Posted: April 21, 2020


In recent years, we have seen a dramatic shift in both the private and public sectors towards Multi-Factor Authentication (MFA) for enterprise remote access services.  As more and more organizations have continued to adopt MFA, cyber criminals have continued to identify increasingly clever ways to circumvent these controls.  And while any MFA implementation is better than none at all, there are definitely better and worse ways to accomplish it.  With so many different implementation options, it is not unreasonable to ask – “What is the right way to MFA?”.

What is MFA?

For the purposes of this article, we’ll use the de facto text-book definition for Multi-Factor Authentication, which is any combination of at least two of the three (generally accepted) types of authentication:

  • Something you know – Such as passwords, security questions, etc.
  • Something you have – Such as a hardware token, physical access card, etc.
  • Something you are – Biometric identifiers (fingerprints, retinal scan, voice, etc.)

The most common approaches to MFA include:

  • Security questions – Questions about personally defining characteristics that are unique to a person (high school mascot, street they grew up on, etc.). It should be noted that supplementing password authentication with security questions is not actually MFA (because both fall into the “Something you know” category).  But that observation aside, it is not uncommon to see sites using it for this purpose.
  • Out-of-Band OTP (“One Time Password”) Delivery – The process of generating a temporary token/password value, with a short expiry (usually between 30 seconds and 5 minutes) that is granted to the user via a secondary out-of-band communication. Common out-of-band delivery mechanisms include:
    • SMS – Code sent to the user over SMS text message (to a previously supplied mobile number)
    • Email – Code is sent to the user over email (to a previously supplied email address)
    • App – Code is sent to the user via a custom app (in most cases, either a mobile app or desktop app)
  • Algorithmically Generated OTP (“One Time Password”) – The usage of this is similar to OTP out-of-band delivery but doesn’t require the user to have real-time access to a secondary communication mechanism. This is accomplished through some mathematical wizardry.  A common algorithm is run on both the server side and MFA client that defines how an MFA OTP code value will change over time, and each MFA user has a unique seed value that is used in the algorithm to generate unique values over time.  Common examples of these include:
    • Hardware Fob – A physical token that generates a One-Time-Password that changes over time (a commonly used example is the RSA hardware key fobs)
    • Authenticator App – An app that generates unique numerical values over time (such as Google Authenticator or Symantec VIP)
  • Push Request – This form of MFA consists of sending an out-of-band request to a known user (usually via a mobile app) to authorize a login.

Stopping the Bleeding

One of the most notable advantages of implementing Multi-Factor Authentication, is that it helped organizations to stop the bleeding associated with credential harvesting phishing attacks.  It had become common-place for organizations to get breached by attackers who would setup an “evil-twin” clone of a legitimate remote access service, and then use social engineering to entice victims to login to those fake sites.  Once the username and password of the victim were acquired by the fake site, the attacker could then use those credentials to login to the actual remote services and gain unauthorized access to the organization’s sensitive data resources.

Figure 1 – Example of a classic credential harvesting attack

In the past, common implementations of MFA sufficiently mitigated this type of attack.  Even if an attacker was able to successfully compromise a victim’s username and password through a well-crafted phishing attack, they would be unable to access the legitimate site due to the requirement for a second factor.  As more security conscious organizations began moving to MFA for all of their remote access services, most hackers turned their focus towards the “low-hanging fruit” (i.e. the more vulnerable targets who had not implemented MFA).  But with each passing year, that “low-hanging fruit” is becoming less and less available (today, it is rare to see any established organizations not employing MFA on their perimeter) – and cyber criminals have become hungry.  Even opportunistic attackers have begun to innovate and find new ways to circumvent these common implementations of MFA.

The Emerging Threat

One of the more sophisticated, but increasingly common ways that attackers are bypassing MFA, is real-time replay attacks.  This is the latest evolution of the classic credential harvesting attacks that we described above.  The below diagram shows how this attack has changed over-time to successfully exploit most MFA implementations.

Figure 2 – New real-time replay credential harvesting attack

Similar to the classic attack, the hacker will create an “evil twin” clone of the legitimate web service.  But in this version, the malicious website will prompt for the full authentication sequence (both primary and secondary factors), and instead of just collecting those, the malicious site will have an automated process to replay those credentials in real-time to the legitimate website (while the second factor token is still valid). The attacker can then assume the compromised session, thereby granting them access to the web-service.

Unfortunately, every single form of MFA discussed above is vulnerable to this form of attack.  Fortunately, all hope is not lost.

Enter U2F (“Universal 2nd Factor”)

In this endless game of cat and mouse that is played between hackers and cyber security professionals, there is a way to once again reclaim the upper hand.  The FIDO (“Fast Identity Online”) Alliance has delivered an open standard for strong cryptographic authentication called U2F (“Universal 2nd Factor”), which effectively eliminates the risk associated with real-time replay attacks.  The technical details are beyond the scope of this article, but in simple terms, this specification leverages asymmetric key cryptography to securely authenticate and validate the identity of users.  The use of these cryptographic routines effectively mitigates replay attacks, as it is impossible to replay the authentication sequence without breaking the trust.  If you are interested in the technical specifics, these can be found on the FIDO Alliance website.

The “Right Way”, is also the hard way

While the answer to this question is simple, the implementation is not.  Some of the most security-conscious organizations have already adopted U2F, but many organizations have been hesitant to do so.  Most of the major MFA and identity services now support U2F, and many of the major cloud services also support it.  However, the actual implementation of this standard within an enterprise environment is no small hurdle to overcome.  Implementation requires custom hardware tokens and/or installation of custom software, and support of such a program requires significant overhead (issuing tokens, managing lost tokens, account access recovery, etc.).  Many organizations have been hesitant to adopt the standard because of this additional effort required.

However, this argument probably sounds familiar.  Approximately 5 years ago, many organizations were slow to adopt the classic forms of MFA for the same reason.  It was “too hard to implement” and it did not create a “user-friendly” experience.  As time passed and more organizations became front-page news due to such attacks, MFA became more widely adopted.  And we will likely see that same timeline play out again over the next 5 years with U2F.  There will be some organizations who recognize the emerging security risk and will quickly move to the more secure option of U2F.  For those that lag behind, it will likely become a game of roulette – where each organization hopes that they do not become the unfortunate headline, which causes the rest of the world to acknowledge the importance of such controls.

A Question of Risk Management

If security was the only consideration, this would be a no-brainer.  But business is more than just security.  For every organization, this ultimately becomes a question of risk management.

Is the annual cost of implementing and supporting FIDO-compliant MFA less than the ALE (Annualized Loss Expectancy) that would result from a related breach of security?

But unfortunately, even that question is hard to answer.  As any risk management professional will tell you, forecasting ALE is not an exact science and requires a lot of assumptions.  For some organizations (such as regulated industries that could incur significant fines, or companies with invaluable intellectual property at stake), the answer might already be an obvious “yes”.  But regardless of what industry/sector you are in, or what the answer to that question is today… as these attacks become more and more prevalent, the necessity to adopt stronger authentication practices is fast approaching.

Be on the lookout next week for the second part of this two-part series, where we’ll focus on best practices related to classic MFA implementations.


This blog was written by Justin Hutchens, Consulting Services Practice Lead at Set Solutions.